The GlobalSign PDF at https://storage.pardot.com/707663/57753/globalsign_parchment_digital_signatures_case_study.pdf has LTV with no changes permitted, so it must be possible somehow.

I did some deeper digging on Stack Overflow and found 
https://stackoverflow.com/questions/38856382/ltv-of-certifying-signatures, 
which states it's possible to enable LTV by "Embedding the crl bytes & ocsp 
response in the signature at signing time".

I'll look more closely at this before posting my own question. Thanks!

On 2020/06/24 04:24:25, Tilman Hausherr <thaush...@t-online.de> wrote: 
> Hi,
> 
> I don't know if this is possible. My understanding would be "no". You 
> should ask this on stackoverflow too.
> 
> Adding LTV before signing - I have some doubt too, because you would get 
> the revocation list / the OCSP response before doing the signing. In 
> theory, a certificate could be revoked in the meantime. So this doesn't 
> feel right.
> 
> Tilman
> 
> Am 24.06.2020 um 05:24 schrieb Chris Parton:
> > I have one more question. Completely understand if you've got more 
> > important things to do though :)
> >
> > Adding LTV to my PDF invalidates my certificate when the MDP permission is 
> > set to 1 (no changes permitted).
> >
> > At the moment I'm signing the PDF using CreateSignature, then adding LTV in 
> > a separate run of AddValidationInformation. My hunch is that the 
> > double-saving of the PDF is causing the issue.
> >
> > If you have any thoughts they would be appreciated. In the meanwhile I'll 
> > be trying to sign and add LTV before saving the PDF.
> >
> > If it's any use, I've uploaded unsigned, signed, and LTV signed PDFs to 
> > this public Drive folder: 
> > https://drive.google.com/drive/folders/15uY98ZJYDnpJCtjf2LTheFg4Zu75BBIY?usp=sharing.
> >  signed_with_ltv.pdf is the problematic file.
> >
> > Thanks,
> > Chris
> >
> > On 2020/06/23 18:04:19, Tilman Hausherr <thaush...@t-online.de> wrote:
> >> Another problem is that the "highest" certificate does not have an URL
> >> to download the root. So I can't get that one.
> >>
> >> A solution would be that you change the code so that you keep a set of
> >> certificates that you trust and look there when one is missing.
> >>
> >> Tilman
> >>
> >> Am 23.06.2020 um 19:00 schrieb Tilman Hausherr:
> >>> Hi,
> >>>
> >>> Yeah, the log output is confusing, I'll improve it slightly to output
> >>> what it was searching for. I ran ShowSignature and it's the root
> >>> certificate that is missing in the chain.
> >>>
> >>> Tilman
> >>>
> >>> Am 23.06.2020 um 14:59 schrieb Chris Parton:
> >>>> Hi all, I'm trying to use the example AddValidationInformation[1]
> >>>> class to add LTV to an existing signed PDF. I've tried with a signed
> >>>> PDF of my own, and a sample GlobalSign[2] PDF.
> >>>>
> >>>> In both cases, I get the same error, and a 0kb PDF generated. Logs[4]
> >>>> are at the bottom of this post.
> >>>>
> >>>> Steps to reproduce:
> >>>>    1. git clone g...@github.com:apache/pdfbox.git
> >>>>    2. cd pdfbox/examples
> >>>>    3. mvn clean install
> >>>>    4. Open pdfbox project in IntelliJ
> >>>>    5. Run AddValidationInformation class, with the downloaded
> >>>> GlobalSign pdf as a program argument
> >>>>
> >>>> The GlobalSign PDF has LTV enabled already, but I get the same error
> >>>> on my own document which doesn't have LTV. For my own document, I can
> >>>> enable LTV via Adobe Acrobat's UI[3], which makes me think the
> >>>> document itself is fine.
> >>>>
> >>>> Can anybody shed some light on why this might be happening? The
> >>>> recursive traverseChain() method seems to spin until it hits the end
> >>>> of the certificate chain, and continues to look for an issuer cert.
> >>>>
> >>>> Thanks so much, I appreciate your help! Let me know if you need any
> >>>> more information and I'll do my best to provide it.
> >>>>
> >>>> [1]
> >>>> https://github.com/apache/pdfbox/blob/2.0.20/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
> >>>>
> >>>> [2]
> >>>> https://storage.pardot.com/707663/57753/globalsign_parchment_digital_signatures_case_study.pdf
> >>>>
> >>>> [3]
> >>>> https://www.ssl.com/how-to/long-term-validation-ltv-of-pdf-digital-signatures-in-adobe-acrobat/#enable
> >>>>
> >>>> [4] App logs
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> getAlternativeIssuerCertificate
> >>>> INFO: Get alternative issuer certificate from:
> >>>> http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> getAlternativeIssuerCertificate
> >>>> INFO: Get alternative issuer certificate from:
> >>>> http://secure.globalsign.com/cacert/gsaatlsha2g2.crt
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> getAlternativeIssuerCertificate
> >>>> SEVERE: Error getting alternative issuer certificate from
> >>>> http://secure.globalsign.com/cacert/gsaatlsha2g2.crt
> >>>> java.io.IOException: No Issuer Certificate found for Cert:
> >>>> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
> >>>>
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> traverseChain
> >>>> INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for
> >>>> AATL, O=GlobalSign nv-sa, C=BE
> >>>> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> getAlternativeIssuerCertificate
> >>>> SEVERE: Error getting alternative issuer certificate from
> >>>> http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt
> >>>> java.io.IOException: No Issuer Certificate found for Cert:
> >>>> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
> >>>>
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> traverseChain
> >>>> INFO: Found the right Issuer Cert! for Cert:
> >>>> EMAILADDRESS=market...@globalsign.com, CN=Marketing, O="GMO
> >>>> GlobalSign, Inc.", L=Portsmouth, ST=New Hampshire, C=US
> >>>> CN=GlobalSign CA 2 for AATL, O=GlobalSign nv-sa, C=BE
> >>>> Jun. 23, 2020 10:51:19 PM
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector
> >>>> traverseChain
> >>>> INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for
> >>>> AATL, O=GlobalSign nv-sa, C=BE
> >>>> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >>>> Exception in thread "main" java.io.IOException: No Issuer Certificate
> >>>> found for Cert: CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign
> >>>> nv-sa, C=BE
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
> >>>>      at
> >>>> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
> >>>> For additional commands, e-mail: users-h...@pdfbox.apache.org
> >>>>
> 
